HTML5 Privacy: Transparency in a Complex On-Line World

Today the University of California Berkeley Center for Law & Technology held a Browser Privacy Mechanisms Roundtable with participants from government, including Commissioner Julie Brill and Chief Technologist Ed Felten from the US Federal Trade Commission, academia, and industry, including Microsoft. Privacy spans technology and policy, and conversations that reflect these different points of view are important to have publicly.

During the sessions, Microsoft announced that it is bringing our HTML5 Privacy design to the W3C for standardization. We’ve done this as a result of conversations on this topic with the W3C. As HTML5 enables innovation, we want to make sure it respects consumer privacy as well. Bringing Tracking Protection and related technology – like a persistent user setting about tracking preferences – to the W3C is important for a consistent and interoperable approach to privacy for developers and consumers alike. Standardizing how consumers signal their desire to not be tracked is important in the long term, especially when combined with clearer industry definitions of tracking and new laws and regulations that could help law enforcement protect consumers in some scenarios.

Starting with Consumers

A good place to start is with consumers on the Web. Consumers are increasingly wary, often out of necessity. In addition to rich Web content and Web applications, they face security risks like malicious sites and phishing scams. Even on sites consumers know and trust, bad things often happen. It’s easy to almost follow a bad link from a friend on Facebook, or become a victim of malvertising when a malicious advertisement appears on an otherwise trustworthy site. These patterns of justified consumer skepticism started long ago, when some sites started popping up windows that users did not want. Consumer empowerment started with pop-up blockers and moved on to many other forms of protection, from malware and phishing to XSS and clickjacking and many others. In light of all these issues, it’s understandable that consumers hesitate before trusting anyone on the Web.

Consumers have become increasingly concerned about privacy. This diagram of the technology landscape shows how incredibly complex the privacy conversation is today. To be absolutely clear: advertising is perfectly legitimate Web content. Many consumers appreciate it for many different reasons, from underwriting the cost of the content they read to making them more aware of relevant products and services. The consumer concern involves the transparency and control around the information collected and used.

Our Approach

Our approach to privacy in IE9 reflects this consumer context and our experience over the years on other trust issues like security and reliability.

IE9 enables consumers to express their preference for privacy and gives consumers a mechanism to enforce specific aspects of that preference. Consumers can do this by choosing Tracking Protection Lists from organizations they trust. These lists can block and allow third-party content in order to control what information consumers share with sites as they browse the Web. By controlling the flow of information to sites, these Tracking Protection Lists help users protect their privacy. Unlike other solutions, IE9’s approach benefits users even if Web sites do not respect the user’s preference to not be tracked. The ability for a site to determine that the user has expressed a desire to not be tracked (by turning the feature on) is inherent in the design of Tracking Protection.
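The list-based filtering described above, sketched as an added example (not Microsoft's code and not the Tracking Protection List file format). The rule objects, the hostnames and the allow-over-block precedence are assumptions of this simplified model; it shows that enforcement happens in the browser, so a blocked third party receives no request regardless of how it would have treated the data.

```javascript
// Added illustration: a simplified model of list-based third-party filtering.
// Not IE9 code and not the Tracking Protection List file format.
// Rule objects, list names and hostnames are all constructed for this example.

// Crude "site" key: the last two hostname labels. A real browser would use
// a public-suffix list to find the registrable domain.
function siteOf(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

function hostMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Decide whether a sub-resource request leaves the browser at all.
function decide(pageUrl, requestUrl, lists) {
  if (siteOf(pageUrl) === siteOf(requestUrl)) return 'allow'; // first-party content is not filtered
  const host = new URL(requestUrl).hostname;
  let blocked = false;
  for (const list of lists) {
    for (const rule of list.rules) {
      if (!hostMatches(host, rule.domain)) continue;
      if (rule.action === 'allow') return 'allow'; // assumption: an allow in any list wins
      blocked = true;
    }
  }
  return blocked ? 'block' : 'allow';
}

// Requests that survive filtering; a blocked third party receives nothing
// (no cookie, no Referer, no IP address) because no request is made.
function requestsSent(pageUrl, requestUrls, lists) {
  return requestUrls.filter((u) => decide(pageUrl, u, lists) === 'allow');
}

const lists = [
  { name: 'list-a', rules: [{ action: 'block', domain: 'tracker.example' },
                            { action: 'block', domain: 'ads.example' }] },
  { name: 'list-b', rules: [{ action: 'allow', domain: 'ads.example' }] },
];
const page = 'https://news.example/story';
const wanted = [
  'https://static.news.example/site.css',   // same site as the page
  'https://px.tracker.example/pixel.gif',   // blocked by list-a
  'https://cdn.ads.example/banner.js',      // blocked by list-a, allowed by list-b
  'https://fonts.example/a.woff',           // on no list
];
console.log(requestsSent(page, wanted, lists));
```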

We’re working closely with many organizations to make sure that Tracking Protection Lists are available for consumers from organizations that they can trust. Much as consumers choose where they get their news or their product review information, consumers now have a choice around what third-party sites get their information as they browse the Web. As the tracking discussion continues, these lists will evolve as well.

Improving privacy online is an ongoing conversation with many parties. We will continue to listen and participate.

@johnny3-yes they snuck it into the end of a post (about 3 or 4 ago) the RC will be released tomorrow. The sad thing is… If it doesn't contain major fixes since the last beta it will not be HTML5 compliant.

As for this article you made lots of valid points until you added this line.

Many consumers appreciate it?!?!?!?! Wow! Who left the helium valve open in Seattle?

Unless you've been completely blind to the add-on marketplace that other browser vendors excel at… The #1 add-on downloaded by consumers and businesses is an Ad-blocker!

Then again we know that Microsoft does not care about the consumer at all because they were the browser vendor that invented and implemented the only chromeless popup window call in a browser (createPopup() for the uninformed).

Not only was it a major usability issue and a gold mine for shady advertisers of malware and the like but it was completely against the specs and conformed to no official standard. Even to this day the remaining window.open() method doesn't follow the specs.

Microsoft has still not fixed the privacy issue in Windows XP with Windows Media Player revealing your viewing history that was documented with fully repeatable test cases YEARS ago!

Maybe IE9 will be a major overhaul in privacy but it is well known in security circles that if you value your privacy then you need to make sure you are NOT using IE and instead are using a more secure browser that isn't tied to the operating system, revealing all your info to anyone that wants access.

I seriously hope the RC is a Massive improvement over the alpha "betas" we've seen so far.

May I ask for clarity on this line: "The ability for a site to determine that the user has expressed a desire to not be tracked (by turning the feature on) is inherent in the design of Tracking Protection." Does this mean the browser/session will not pass certain information to the site? vs the site having a ..do not save.. on the session info

I appreciate advertising. I appreciate the fact that advertisements pay for most of the content I consume online. Beyond my browser's built-in popup blocker I've never done anything to block advertisements. I'd much rather not view ads, but they're pretty harmless.

Hello, I know this isn't post related and all but… I heard Windows 7 Service Pack 1 is coming out soon. Will the size of it be over 1GB or below? And when I install SP1, how much free space will I have? I have 107GB free of 136GB. Will it go down to 99GB or 106GB? I am worried. Please tell me.

Many sites fund their server costs through advertising. Those sites are presented to you FREE because of the advertisers. By blocking adverts, you are not only "leeching off" the sites from their revenue, you are endangering a lot of useful free sites from their very existence. If you can't appreciate the ads, you lack substance in your brain and unfortunately, a lot of "consumers" fall into your category.

@Arieta – no @Dave is right. When Microsoft goes live with IE9 (either at the RC stage or the RTM stage) they will try and claim that IE "supports HTML5" and that IE9 has "the most complete HTML5 implementation" – both of those statements will be wildly inaccurate!

@@Dave – You are obviously unaware how web advertising works. The people that use ad-blockers are a special kind of people I like to call "not-a-retard". They had no intention of buying anything before they saw the ads and they have no intention of buying anything after they saw the ads, and just like me, they have never clicked on an ad because they have no intention to buy anything.

There is nothing to "appreciate" in an ad. If you think there is, then you **must** work for an advertiser because no-one in the "sane" part of the planet goes…hmm, I wish when I went to Google to do a search that the home page was covered in ads. I would really appreciate that.

@Julian: HTML5 is still far from complete, in fact it is used as a buzzword for a ton of technologies not even related to HTML5. According to the W3C test sheets, IE9 is the most compatible at the moment. However HTML5 itself is still work in progress, so it's entirely possible that half a year from now, every current browser will have a broken implementation, if they change so many things in that time. So it's utterly futile to claim that your browser supports a standard when that standard is a work-in-progress to begin with. The same goes for any other browser claiming HTML5 compliance too. You can't be HTML5 compliant right now. At best you can have a good implementation of the current state of the HTML5 standard.

It is entirely possible that IE9 may have the best or most complete HTML5 support at time of release.

The problem is just that it will get outclassed fast because other browsers are updated much more often, and have a much more effective self-update system to keep things up-to-date.